[Security Weekly] Enterprise Password Manager Passwordstate Exploited for Supply Chain Attack

cover image

5th Week of April 2021


1. Enterprise password manager Passwordstate exploited for supply chain attack

On April 23, cybersecurity firm CSIS Group disclosed on its blog that it had discovered a cyberattack on Click Studios, an Australian firm behind the popular enterprise password manager Passwordstate.

It said that between April 20 and April 22, hackers gained access to Click Studios’ CDN which hosted servers of Passwordstate. The hackers then corrupted the files of an important software update by injecting a malware dubbed Moserpass. The malware would extract data stored in Passwordstate and send it to a C & C server controlled by the attackers.

Since the intrusion was detected early, only those who downloaded the corrupted update between April 20 and April 22 were at risk. However, the list of firms affected was not disclosed because even though Click Studios claims to serve 370,000 enterprise users at over 29,000 firms worldwide, it has a policy of not revealing its customers. The company did say that they had contacted all affected customers and advised them to reset their passwords stored in Passwordstate.

Corrupting software updates is the very same tactic used against SolarWinds Orion, which led to a massive supply chain attack affecting hundreds of organizations.

Sources: SC Media, Bleeping Computer


2. UnitingCare Queensland faces service disruptions following ransomware attack

UnitingCare Queensland (UCQ), a major provider of healthcare, disability support, and aged care in the Australian state of Queensland, suffered a ransomware attack on April 25 that led to the shutdown of a number of its IT systems. Several major hospitals in Brisbane run by UCQ may have been affected.

The hackers were able to use ransomware to infect UCQ’s email and booking systems. This forced its staff members to go back to paper-based manual processes. Many patients either were redirected to other facilities or had their appointments rescheduled.

The Australian Cyber Security Centre (ACSC) was notified while forensic experts joined to investigate the incident. The ACSC has warned last year about the increased ransomware attacks on healthcare providers in the country.

Sources: ZDNet, Computer Weekly, IT News


3. Washington D.C. police attacked by Babuk ransomware, sensitive data compromised

On April 26, the Babuk ransomware gang claimed to have successfully breached the IT network of the District of Columbia’s Metropolitan Police Department (MPD) and stole more than 250 GB of unencrypted data. The Babuk ransomware is a newly emerged ransomware strain in 2021 and has been actively recruiting affiliates on Russian-speaking forums.

The gang claimed responsibility for the attack by uploading screenshots of the stolen files on its leak site. Compromised data seemed to include police reports, memos containing detailed information on gang conflicts, as well as the personal information of people arrested. The attackers emphasized that one of the files was related to arrests following the January 6 Capitol storm.

MPD confirmed that their systems were breached and that it had contacted the FBI for further investigation. MPD was told to pay the demanded ransom within three days, after which if the demands were not met, these sensitive data would be released to local gangs. 

Sources: Bleeping Computer, BBC


4. Wyoming Department of Health exposes medical data of 25% of state residents

On April 27, the Wyoming Department of Health (WDH) published a statement on its website warning the public of a sensitive data exposure incident involving 164,021 Wyoming residents. That is one in four residents of the state.

A WDH employee working in the Public Health Division accidentally uploaded 53 sets of files to private and public online storage repositories hosted by GitHub, all of which were publicly accessible. The exposed files contained medical data such as COVID-19 and influenza test results, breathalyzer test results, patient names or IDs, dates of birth, home addresses, and test dates.

The data were uploaded on November 5, 2020 and were only discovered by WDF on March 10, 2021. During this time, threat actors could have used these data for criminal activities. WDF has been contacting the victims on an individual basis, and offered all victims one year of free identity protection service.

Sources: Threatpost, Infosecurity


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security